US20110035591A1 - Enterprise instant message aggregator - Google Patents
Publication number: US20110035591A1 (application US 12/907,466)
Authority: United States
Legal status: Granted
Classifications
- H04L9/3226: cryptographic mechanisms or arrangements for secret or secure communications, including means for verifying the identity or authority of a user of the system or for message authentication, using a predetermined code, e.g. password, passphrase or PIN (under H04L9/00, H04L9/32)
- H04L63/045: network architectures or protocols for network security providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected by encrypting or encapsulating the payload and the sending and receiving network entities apply hybrid encryption, i.e. a combination of symmetric and asymmetric encryption (under H04L63/00, H04L63/04, H04L63/0428)
- H04W12/033: security arrangements; protecting confidentiality of the user plane, e.g. the user's traffic, by encryption (under H04W12/00, H04W12/03)
- H04L2209/80: wireless; additional information relating to cryptographic mechanisms or arrangements for secret or secure communication (under H04L2209/00, H04L9/00)
Definitions
- The SMS message will also provide an instruction to the IM application to erase all messages and user credentials stored within that mobile station 15.
- The service control 27 will also notify the provisioning system(s) 47 to deactivate service to the mobile station 15, for example, by deleting any associated profile data from the authorization system 41 and/or by sending another message to the mobile station 15 to delete any provisioning data for at least the IM service, which may be stored in the mobile station itself.
- It may be helpful at this point to consider an example (FIG. 2) of a call or signal flow, as an example of the processing of an IM communication session facilitated through the aggregator 21.
- The login request message communication would involve one or more packet transmissions through the carrier's WDN network 13, possibly the gateway 19 (if the mobile station is a BREW device), to one of the gateways 31, 33 in the aggregator 21, which in turn forwards the message packet(s) to the service control 27.
- The authorization query identifies the mobile station by its MDN and includes a feature code essentially to identify the EIM service that the user is attempting to access.
- The carrier's service/feature authorization element uses the MDN to look up a service profile for the particular mobile station 15 or 17, and it uses the feature code to determine whether or not the profile shows that the particular mobile station is authorized to access the EIM service via the network 10 (step S3).
- This authorization check may involve checking a number of other parameters.
- The authorization element can check the domain portion of the user name/email address to confirm that the domain corresponds to an enterprise that subscribes to the EIM service for mobile stations through the network 10.
- The authorization element can also check that the particular user is authorized for the EIM service based on the combination of username and password.
- The authentication query sent to the enterprise IM server 37 in step S5 is encrypted.
- The service control 27 in the aggregator has previously received a public encryption key from the enterprise IM server 37.
- The example uses Advanced Encryption Standard (AES) encryption or Triple Data Encryption Algorithm (3DES or TDES) encryption.
- The service control 27 in the aggregator uses the AES or 3DES public key of the enterprise IM server 37 to encrypt the authentication query.
- Each enterprise will provide its public key (and possibly identify the particular encryption algorithm) when the enterprise signs up with the carrier for the EIM service through the network 10.
- The keys may be changed from time to time, in which case the respective enterprise server will provide an updated public key to the carrier, for use by the aggregator 21.
- When the device client was initially activated (prior to sending the login request at S1), that client was generic to data service through the carrier's network 10. However, based on the response at S8, the device client becomes a specific client program for EIM service through the network with the particular enterprise server, in this example, the server 37. Hence, at step S9 the device client causes the mobile station to form a login request for the particular IM server 37.
- This request contains the username and a password.
- The password may be the same as at S1 (for network validation) or a second password for enterprise validation.
- The enterprise login request message also contains an AES key, which is generated by the device client.
- The mobile station encrypts the enterprise login request message using the RSA public key of the aggregator 21.
- The user of the mobile station enters text or other information for an IM message, and the device client encrypts that information using the AES key.
- The mobile station sends the AES encrypted IM payload through the network 10 to the IM server 37.
- The network 10, including the aggregator 21, is transparent to this message. Although the message is routed through the aggregator, for security, the aggregator 21 does not decrypt the message.
- The IM server 37 at the enterprise passes the IM payload to the appropriate device client in the enterprise community (step S14).
- The server may decrypt the payload before communication to the device client, or the server may pass the payload on in encrypted form for decryption by the device client.
- The device client of the receiving party processes the message and presents the IM message to the user at the receiving end, in a normal manner.
- The user inputs appropriate information, and the device client causes the mobile station to initiate a service request transmission in step S26, which the aggregator 21 routes to the carrier's provisioning gateway (gateway 45 in FIG. 1) in step S27.
- The gateway provides an interface to other provisioning element(s) 47 for interaction with the user (S28) to activate the service with respect to the user and the user's mobile station.
- The provisioning system may enter the EIM feature code in the user/mobile station profile in the element 41 performing the carrier's service/feature authorization. Provisioning data also may be downloaded into the mobile station.
- The gateway sends a message indicating successful completion back to the aggregator in step S29, and the aggregator 21 routes that message through to the device client on the user's mobile station in step S30.
Description
- The present disclosure relates to techniques and equipment to aggregate enterprise instant message traffic for wireless client devices.
- Instant Messaging (IM) is the delivery of text or other media messages between two users in near-real time. IM allows a user to maintain a buddy or contact list, listing people with whom the user might exchange instant messages. The user selects a person from the list that is currently logged-in with respect to the IM service and establishes a data communication session with a remote device being used by the selected person. In a personal computer type implementation, the IM software on the user's device opens a window on the computer display. Typically, the window includes two parts, each of which provides a slightly different functionality. One part of the window allows the user to type messages for transmission to the remote user device, whereas the other part receives messages from the remote user device and displays those messages to this user. The remote user's device will provide similar input and display functions, and in this way, both users can read what the other has typed.
- Originally, IM service was offered as a text messaging service between users' computers connected to the Internet. However, as the popularity of IM services grew, the IM service offerings were extended to users of wireless mobile devices, such as cellular telephones, wireless email devices and personal digital assistants (PDAs). U.S. Pat. No. 7,120,455 to Chen et al., for example, discloses a technique for mobile instant messaging, particularly adapted to provide interfaces to a number of different IM systems or communities. However, these communities are those served by commercial IM providers, such as AIM, MSN, Yahoo IM or the like.
- Much of the IM traffic today is between individual users/customers, for example, to permit chat between friends and family members. However, enterprises have found that the real time text communication offered by IM services also provides a valuable collaborative tool between enterprise personnel, in the context of a wide range of commercial, educational and governmental activities. IM services typically involve text communication; but increasingly, such communications can communicate a variety of other types of information media, such as voice, images and video in near real time, both in private IM services and enterprise IM services. Hence, enterprise IM typically entails the delivery of text or other media messages between two enterprise users in near-real time.
- Use of IM by enterprise personnel, however, raises a number of unique concerns. The overriding concern is security. Many of the IM messages between enterprise personnel may contain highly confidential information of the enterprise, and the enterprise has an attendant need to prevent misdirection or interception of the messages.
- US application publication no. 2003/0204741 to Schoen et al. proposed a secure public key infrastructure type proxy for instant messaging clients. The publication describes an encryption technique. Although the publication recognizes the need of businesses and government entities for security, the encryption is apparently implemented in a non-corporate environment utilizing commercial IM services. For example, the publication suggests public key infrastructure proxies may be implemented on the IM servers and client devices themselves. There is no mention of how the IM service would be extended securely into the wireless domain, that is to say to wireless mobile client devices.
- In actual practice, enterprise IM services have been deployed using one of two approaches. One approach is for the Enterprise IT policy to allow the use of commercial IM services such as Yahoo, AIM and MSN. These services are readily available but do not have secure messaging capability.
- The other, more secure approach used to date in actual deployments implements the enterprise IM service within the enterprise environment, from desktop to desktop. IM traffic can be readily sent within existing messaging environments such as IBM Lotus Instant Messaging (Sametime) and Microsoft Office Live Communications Server (LCS). These messaging environments only support IM within their platform or community and do not extend IM onto other messaging environments including commercial IM services such as Yahoo, America On-Line IM and MSN communities. Security includes encryption of user credentials (user name and password), message content and logging of conversations. Also, in these secure enterprise IM environments, the IM messages are prohibited from going to or coming from a wireless device.
- Hence, there is a need for a technique to extend secure IM service for an enterprise to wireless devices that may participate in IM sessions via a public mobile or wireless communication network. Clearly, the security for the enterprise IM message needs to be extended to the wireless device, including through the wireless network that provides communications with the wireless/mobile device.
- An aggregator in a wireless communication network aggregates IM traffic for a number of enterprise IM communities and aggregates IM traffic with respect to mobile stations of users associated with each of those enterprise IM communities. The aggregator facilitates security on the IM communications with the mobile station.
- The enterprise IM service aggregator in the detailed examples below provides a mechanism to validate mobile stations and/or mobile station users for the service through the wireless communication network. In the examples, the enterprise IM service provides a secure messaging environment that allows IM traffic to/from a wireless mobile station. The security offered may be unique to and controlled by each enterprise, for example, by enabling each enterprise to generate its own encryption key for distribution through the aggregator and/or by allowing mobile stations to generate their own keys for distribution back through the aggregator to the enterprise IM servers. Also, the key exchanges are encrypted. For example, the Login Credentials are encrypted from the mobile station to the enterprise IM server. The use of standard encryption methods within the call flows allows a simple method of ensuring that only authorized users can access the enterprise servers and that the messages will be encrypted by the strongest possible means. The messages cannot be decrypted unless the keys are previously known. This ensures that anyone that attempts to access the messages from the wireless environment cannot decrypt the messages or the login credentials of the enterprise community.
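The key handling summarised above, and spelled out step by step in the FIG. 2 flow (a device-generated AES key carried in a login request wrapped under the aggregator's RSA public key, the authentication query re-encrypted for the enterprise IM server, and IM payloads routed by the aggregator without decryption), as an added Go model. It is not code from the patent or from any carrier product; the role and function names, the message layout, the sample user and the Go crypto primitives chosen (RSA-OAEP, AES-GCM) are assumptions of this example. One caveat a practitioner should keep in view: AES and 3DES are symmetric ciphers, so the "AES or 3DES public key" an enterprise provides at sign-up is in practice a secret shared with the aggregator, and the model treats it that way; the device-to-aggregator RSA step is the only asymmetric one in the flow.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

// Constructed model of the FIG. 2 key flow; role names, message layout and the sample user are
// assumptions of this example, not the patent's. LoginRequest is the step S9 enterprise login
// request: the credentials plus the AES key generated by the device client.
type LoginRequest struct {
	Username, Password string
	AESKey             []byte
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only 16/24/32-byte keys are valid; anything else is a programming error
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal: AES-GCM encrypt, with the random nonce prefixed to the ciphertext.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // crypto/rand never returns an error (Go 1.24+)
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open: reverse of seal; a wrong key or a tampered payload yields an error, never plaintext.
func open(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// DeviceLogin (S9-S10): fresh AES session key; login request wrapped with RSA-OAEP for the aggregator.
func DeviceLogin(aggPub *rsa.PublicKey, user, pass string) (wrapped, aesKey []byte, err error) {
	aesKey = make([]byte, 32)
	rand.Read(aesKey)
	plain, _ := json.Marshal(LoginRequest{Username: user, Password: pass, AESKey: aesKey})
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, aggPub, plain, nil)
	return wrapped, aesKey, err
}

// AggregatorForward (S5): unwrap with the aggregator's RSA key, re-encrypt under the enterprise key (shared secret; see lead-in).
func AggregatorForward(aggPriv *rsa.PrivateKey, enterpriseKey, wrapped []byte) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, aggPriv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	return seal(enterpriseKey, plain), nil
}

// EnterpriseAccept: the IM server decrypts the query, checks the credentials and keeps the AES key.
func EnterpriseAccept(enterpriseKey, query []byte, creds map[string]string) ([]byte, error) {
	plain, err := open(enterpriseKey, query)
	if err != nil {
		return nil, err
	}
	var req LoginRequest
	if err := json.Unmarshal(plain, &req); err != nil || req.Password == "" || creds[req.Username] != req.Password {
		return nil, errors.New("enterprise rejected login")
	}
	return req.AESKey, nil
}

// RunSession: one login plus one IM message; returns the recovered text, the relayed ciphertext and the enterprise key.
func RunSession(msg string) (string, []byte, []byte, error) {
	aggKey, err := rsa.GenerateKey(rand.Reader, 2048)
	enterpriseKey := make([]byte, 32) // stand-in for the key the enterprise provides at sign-up
	rand.Read(enterpriseKey)
	const user, pass = "alice@enterprise.example", "s3cret" // constructed sample user
	var wrapped, sessionKey, query, serverKey, relayed, plain []byte
	if err == nil {
		wrapped, sessionKey, err = DeviceLogin(&aggKey.PublicKey, user, pass)
	}
	if err == nil {
		query, err = AggregatorForward(aggKey, enterpriseKey, wrapped)
	}
	if err == nil {
		serverKey, err = EnterpriseAccept(enterpriseKey, query, map[string]string{user: pass})
	}
	if err == nil {
		relayed = seal(sessionKey, []byte(msg)) // S11-S12: device encrypts; aggregator relays as-is
		plain, err = open(serverKey, relayed)   // S13-S14: enterprise decrypts and delivers
	}
	return string(plain), relayed, enterpriseKey, err
}
```

RunSession hands back the enterprise key next to the relayed ciphertext so that a caller can check the property the flow relies on at steps S12 and S13: the aggregator, holding only its own RSA key and the enterprise's key, cannot open an IM payload, because the payload key was generated on the device and travels to the enterprise inside the RSA-wrapped login. Drive it from a test or a small main that calls RunSession.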
- The examples disclosed below also facilitate provisioning of a mobile station for use of the enterprise IM service through the wireless communication network, e.g. when the aggregator determines that a mobile station or user is not yet authorized for the service.
- The enterprise IM service aggregator may also offer a ‘KILL’ feature, by which an enterprise can direct the aggregator to terminate service to a particular mobile station, e.g. upon determination that the station has been stolen. The ‘KILL’ function causes the network to disable the service on the mobile station, and in the example, this function causes the aggregator to send a message through the network to the stolen mobile station instructing that station to delete all stored IM messages and/or any IM service credentials that have been stored in the mobile station.
- Additional advantages and novel features will be set forth in part in the description which follows, and in part will become apparent to those skilled in the art upon examination of the following and the accompanying drawings or may be learned by production or operation of the examples. The advantages of the present teachings may be realized and attained by practice or use of the methodologies, instrumentalities and combinations particularly pointed out in the appended claims.
- The drawing figures depict one or more implementations in accord with the present teachings, by way of example only, not by way of limitation. In the figures, like reference numerals refer to the same or similar elements.
- FIG. 1 is a high level functional block diagram of a wireless carrier's network that may offer the secure instant messaging service through an aggregator, to a number of the carrier's enterprise customers.
- FIG. 2 is a signal flow diagram illustrating a procedure for establishing and conducting an enterprise IM session through the aggregator.
- FIG. 3 is a signal flow diagram illustrating a self-provisioning of a mobile station, for enterprise IM communication through the aggregator.
- In the following detailed description, numerous specific details are set forth by way of examples in order to provide a thorough understanding of the relevant teachings. However, it should be apparent to those skilled in the art that the present teachings may be practiced without such details. In other instances, well known methods, procedures, components, and circuitry have been described at a relatively high level, without detail, in order to avoid unnecessarily obscuring aspects of the present teachings.
- For purposes of the detailed description here, enterprise IM is the delivery of text or other media messages between two enterprise users in near-real time. For enterprise security, users typically will be restricted to the same enterprise community and in general will not have access to commercial IM communities for business related IM. However, a wireless network operator/carrier or other service provider will provide a mechanism/service/procedure to extend the IM communications to wireless devices and provide the requisite security for enterprise IM communications to/from the wireless devices.
- The Enterprise Instant Messaging (EIM) service is deployed in a public wireless telecom network, and the network operator or carrier offers the service to its enterprise customer base. The carrier-centric deployment model uses an Instant Messaging aggregator to aggregate connections from various enterprises. The EIM service, using the traffic aggregator, provides secure IM to mobile stations using a combination of encryption and trusted connection of service elements. The aggregator provides a single interface to the wireless telecom network. The aggregator provides a means of allowing IM traffic from an enterprise secure server environment to wireless devices, such as mobile handsets and PDAs. The enterprise server environment will reside in a single or multiple locations and is often referred to as a community. The aggregator provides all the necessary protocol conversions to allow IM traffic between an IM community server and a wireless mobile station. These protocols are those that are native to both the wireless handset and the enterprise IM community server. The aggregator also provides all the necessary protocols to the wireless network. The aggregator also provides all the necessary routing of IM traffic to the authenticated wireless device user.
- The aggregator also provides other features necessary to meet the requirements of each enterprise customer's IT policy and wireless network, such as one or more of the following:
  - Secure login into the IM server environment
  - Secure processing of all user login and IM server information to set up the traffic path
  - Secure transmission of the IM payload between the wireless device and the IM server using standard encryption methods
  - Secure access to the IM service by authenticating the user first to the wireless network and second to the IM server
  - Administrative functions such as white list/black list of users and handset “kill” function to disable the service on the mobile station
  - Provisioning of the service on the wireless network.
- With that overview of the exemplary Enterprise Instant Messaging (EIM) service, it may be helpful now to consider a possible implementation example in more detail with reference to the accompanying drawings.
- FIG. 1 is a functional block diagram illustrating elements of a wireless carrier's network 10 that may offer the EIM service to a number of the carrier's enterprise customers, and illustrating some of the enterprise customer equipment. At a high level, the carrier's network 10 includes a wireless data network (WDN) 13 for providing mobile wireless communications services to any number of mobile stations. Although the WDN 13 allows the carrier to offer services to individual customers (whose devices are omitted for convenience), for purposes of this discussion, the WDN network 13 provides wireless communication service to mobile stations of personnel of one or more enterprise customers. In the drawing, the mobile stations of the enterprise personnel are represented by the mobile stations 15 and 17.
- The WDN 13 may be any of a number of currently available public wireless/mobile communication networks, which often offer various combinations of voice telephone services and packet-data communications services. For example, the WDN 13 might be implemented as a network conforming to the IS-95 standard, the 3rd Generation Partnership Project 2 (3GPP2) wireless IP network standard or the Evolution Data Optimized (EVDO) standard, the Global System for Mobile (GSM) communication standard, a time division multiple access (TDMA) standard or other standards used for public mobile wireless communications that offer the packet data transport used for instant messaging. For the IM service, the WDN network 13 provides wireless IP packet communications to and from each of the mobile stations 15 and 17.
- Mobile station 15 is a BREW device, that is to say a mobile station device that utilizes Qualcomm's Binary Runtime Environment for Wireless operating system. BREW can be considered an environment that allows general purpose applications to be written for mobile stations. Such applications are easily installed in the mobile stations, including via wireless download through the WDN network 13. Of note for purposes of this discussion, the mobile station 15 of the enterprise employee will have a BREW compatible application loaded therein to configure the device 15 to perform the functions and provide the appropriate user interface for instant message type communications.
- In the example, the carrier normally supplies BREW type mobile telephone devices like the mobile station 15 to its regular telephone service subscribers. The WDN network 13 provides telephone and packet data service, including packet data service in support of IM. The carrier also operates or provides access to a gateway server 19 to support IM type services for its regular subscribers. This gateway 19 is the primary instant messaging interface for BREW devices through the network 13. The IM gateway 19 provides the IM protocols necessary to provide IM services to BREW devices. It can be a separate service provider or it can be part of the aggregator. Putting it outside the aggregator function as in the example illustrates and highlights a protocol conversion function of the aggregator.
- Mobile station 17 is a non-BREW device, that is to say a device that utilizes an operating system other than BREW, although such operating systems often allow general purpose applications to be written for the device in a manner somewhat similar to BREW. These devices include PDAs, Smartphones, and other mobile computing devices that perform the same functions as a desktop or laptop computer but that still may use the WDN network 13 for packet data communications. As discussed more below, the carrier provides enterprise IM service to/from the mobile stations 17, as well.
- To provide the secure EIM service, the carrier network 10 includes an enterprise instant message (EIM) aggregator 21, to aggregate connections from various enterprises 23, 25 to the network 10. The EIM service, using the traffic aggregator 21, provides secure IM to the mobile stations 15 and 17 of users affiliated with an enterprise community, such as the enterprise community 23. The aggregator 21 includes a Service Control server 27. The Service Control server 27 performs all the necessary functions relating to login and message encryption, protocol conversion and control of access to the EIM service. The Service Control server 27 may be implemented on a general purpose computer having packet switched data communication capabilities and/or by a combination of a router and a programmable control/processor, configured to implement the control and security functions outlined below.
- Each enterprise will operate its own systems to provide various communications, including secure IM, within its own respective domain or premises. Each IM community typically is comprised of an Instant Messaging Server and numerous IM clients that are resident on a variety of computing and local wireless devices. These devices include desktop computers and workstations, laptop computers, Personal Digital Assistants (PDAs), and mobile/handheld computers. The aggregator 21 allows the extension of the IM community to cell phones and PDAs as well as other wireless computing devices, represented by the mobile stations 15 and 17.
- Consider the community 23 by way of an example. There, users in the enterprise IM community will have various client devices, represented generically by the desktop computers 31, 33 and the laptop computer 35. The enterprise will provide packet data communications to/from these and other data devices within the enterprise premises, using any desirable wired or wireless communication technologies. For IM communications, the enterprise will also operate its own IM server 37. The IM server 37 provides user/device authentication and encryption key management for security. Presence information indicating which enterprise users are currently on-line for the IM communications typically is exchanged via the IM server 37. The IM server 37 typically participates in the IM message exchange between the IM client devices 31, 33, 35, although it is possible that some implementations might utilize a peer-to-peer communication for the actual message exchanges.
- The aggregator 21 includes a number of gateway servers. The gateway servers 29, 31 and 33 may be implemented on appropriate routers and/or computers having packet switched routing capabilities and sufficient intelligence to implement associated security functions, such as firewall and/or proxy functions as outlined below. Connectivity to the gateway servers in the aggregator 21 can be made using a Secure VPN or a Private Line. Each of these gateway servers provides a high level of security in and of itself. A secure VPN establishes a connection over the Internet. The Internet connection is not considered secure by itself. Establishing a VPN ensures a secure connection between the aggregator and the other server. The use of a private line makes use of a dedicated connection from the aggregator to the other server. Common implementations of private lines include T1 and Fast or Gigabit Ethernet.
- In the example, a gateway server 29 provides the VPN interface to the enterprises 23, 25; in particular, such a secure link connects the IM server 37 of the enterprise community 23 and the gateway server 29. The gateway server 29 implements proxy and firewall functions, to protect the aggregator 21 and the network 10 from any malicious traffic that otherwise might enter from the enterprise community 23 or from any of the enterprise communities 25.
- Another gateway server 31 provides the secure interface for IM communications that pass through the IM gateway 19 for BREW devices. In the example, the link between the gateways 19 and 31 is likewise a secure VPN or private line. Where the WDN network 13 supports non-BREW devices 17, the aggregator 21 includes a gateway server 33 having a secure VPN or private line type link with the WDN 13 for IP traffic to/from such mobile stations 17. The gateway servers 29, 31 and 33 connect the Service Control server 27 to servers outside the aggregator 21. Each gateway server protects the aggregator 21 from potentially harmful or disruptive traffic that might otherwise enter via the respective interface.
- The aggregator 21 can be thought of as the “traffic cop” for the service, as it is the focal point for all the necessary service functions. The aggregator 21 implements a secure environment so that the wireless device 15 or 17 exchanges IM traffic only with the enterprise community 23 with which the particular mobile station(s) 15 or 17 is affiliated. The service control element 27 performs these and related functions. The gateways 29, 31 and 33 secure the external interfaces; the functions of the Service Control 27 may include:
- Secure Service Login
- Encrypted Login Credentials
- Encrypted Message Payload
- Service Provisioning
- Protocol Conversion
- Handset Service KILL function
- Service Notifications
- To control service and/or features that the
network 10 may provide to the various customers of the carrier, the network will typically include one or more systems for validating the mobile stations and/or their users to receive specific services or access specific features. Hence, in the example, thenetwork 10 includes asystem 41 for service/feature authorization. The service feature authorization may be implemented in association with authentication and accounting functions, for example, in the form of a AAA (Authentication, Authorization and Accounting) server, in association with billing functions implemented by EDR (Electronic Data Reporting) or the like, or in a number of other forms commonly found in wireless networks. Of note for purposes of the present discussion, theservice control 27 in theEIM aggregator 21 will interact with theauthorization system 41 as necessary, to determine that eachmobile device - The carrier that provides services through the
network 10 also operates its own system orsystems 43 for provisioning the network elements and/or mobile stations of its customers for mobile station operation through thenetwork 10. For example, when a new mobile station is activated, theprovisioning system 43 typically loads some necessary information or programming into the mobile station, such as its assigned mobile directory number (MDN), and theprovisioning system 43 loads an appropriate service profile record into thesystem 41 that will control service/feature authorization for that device, essentially to authorize the new mobile station to access particular network services and features. The example shows aprovisioning gateway 45 and one or more otherservice provisioning systems 47. Theprovisioning gateway 45 provides a web interface or the like at which a user of amobile station WDN network 13. Of note for purposes of the present discussion, theservice control 27 in theEIM aggregator 21 may instruct the user to access theprovisioning systems 43, e.g. via theprovisioning gateway 45, as part of the initial set-up ofmobile devices - In general, the features of the EIM service may include:
-
- Secure Service Login to the Enterprise and the wireless network
- Validation of the handset to the wireless network to avoid spoofing from unauthorized handsets
- Encrypted Log In Credentials to the Enterprise community
- Encrypted Message Payload from the wireless handset to the Enterprise community: End-to-end encryption
- Service Provisioning in the wireless network
- Protocol Conversions between the wireless handset and the Enterprise community
- Handset Service KILL functions to remove all messages and credentials that are on the handset if the handset should be lost or stolen
- Service Notifications from the aggregator to the wireless handset that inform the user of significant service notices
- One of the features of the EIM service, as outlined above, is the Service KILL function. This function utilizes wireless network short message service (SMS) wake up to erase all messages and user credentials if the enterprise directs the carrier to terminate service to a particular mobile station, e.g. if a handset should be lost or stolen. Essentially, personnel of the enterprise will cause the
IM server 37 to send a KILL message to theservice control 27 in theaggregator 21 identifying the stolen mobile station. Assume for this discussion that the stolen mobile station isstation 15. The KILL message identifies the particularmobile station 15, and in response, theservice control 27 will transmit a SMS type message through theWDN network 13 to thatmobile station 15 instructing the station to wake-up the IM application on that station. The SMS message will also provide an instruction to the IM application to erase all messages and user credentials stored within thatmobile station 15. Theservice control 27 will also notify the provisioning system(s) 47 to deactivate service to themobile station 15, for example, by deleting any associated profile data from theauthorization system 41 and/or by sending another message to themobile station 15 to delete any provisioning data for at least the IM service, which may be stored in the mobile station itself. - It may be helpful at this point to consider an example (
FIG. 2 ) of a call or signal flow, as an example of the processing of an IM communication session facilitated through theaggregator 21. - The example of an EIM communication begins after the user has activated the appropriate IM communication client application on the user's
mobile station aggregator 21. Although not separately shown in the call flow diagram, the login request message communication would involve one or more packet transmissions through the carrier'sWDN network 13, possibly the gateway 19 (if the mobile station is a BREW device) to one of thegateways aggregator 21, which in turn forwards the message packet(s) to theservice control 27. - The aggregator will validate the wireless handset to ensure that the handset accessing the service is authorized to do so. The request message from the device client will include information about the mobile station as well as the user, for example, the mobile directory number (MDN) assigned to the
particular mobiles station service control 27 uses information from the login request to formulate an authorization query, essentially a request to determine if the user's mobile station is authorized for the EIM service through the carrier'snetwork 10. At step S2, theservice control 27 in the aggregator sends this authorization query to theelement 41 that performs the carrier's service authorization function. The element may be an AAA server, an EDR unit in the billing center or other designated system. - The authorization query identifies the mobile station by its MDN and includes a feature code essentially to identify the EIM service that the user is attempting to access. The carrier's service/feature authorization element uses the MDN to look-up a service profile for the particular
mobile station network 10. The authorization element can also check that the particular user is authorized for the EIM service based on the combination of username and password. In this example, we will assume that validation at S3 is successful. For example, the user's mobile station is authorized to use the EIM service, the domain name portion of the username (email address) is that of an enterprise community served by theaggregator 21, and the username/password identify a valid user of the EIM service. - Based on the result of the authorization determination at S3, the carrier's service/feature authorization element will respond to the initial query message (from step S2). In this example, since the mobile station is authorized to use the EIM service, the authorization element sends back a message (at S4) informing the
service control 27 in theaggregator 21 that the MDN (and thus the particular mobile station) is provisioned for the EIM service. This may also effectively confirm that the domain is that of a valid EIM enterprise and that the particular user is authorized service through the network (entered a valid password associated with the username). - As noted above, the initial login request at S1 included the username, which is the user's email address. The email address includes a domain name following the @ symbol, which corresponds to the enterprise community to which the user is attempting EIM access. Based on that domain name, the
service control 27 in the aggregator can determine the address for the messaging server of the particular enterprise, such as theserver 37 of theenterprise community 23 in the example ofFIG. 1 . Using that address, theservice control 27 in the aggregator responds to the determination that the mobile station is provisioned through the network for the EIM service by launching an authentication query (step S5) through thegateway 29 to the appropriate enterprise server (server 37 in our example), requesting that the particular IM server authenticate the user for IM communications with the associatedIM community 23. - The authentication query sent to the
enterprise IM server 37 in step S5 is encrypted. In the example, theservice control 27 in the aggregator has previously received a public encryption key from theenterprise IM server 37. The example uses Advanced Encryption Standard (AES) encryption or Triple Data Encryption Algorithm (3DES or TDES) encryption. Hence, theservice control 27 in the aggregator uses the AES or 3DES public key of theenterprise IM server 37 to encrypt the authentication query. Each enterprise will provide its public key (and possibly identify the particular encryption algorithm) when the enterprise signs-up with the carrier for the EIM service through thenetwork 10. The keys may be changed from time to time, in which case the respective enterprise server will provide an updated public key to the carrier, for use by theaggregator 21. - The encrypted authentication query contains the username. The
enterprise IM server 37 uses its AES or 3DES private key to decrypt the query and recover the username. Theenterprise IM server 37 then checks its database of user information to check the validity of the received username (step S6). In the example, we have assumed that the username is valid, therefore the validity check at S6 is successful; and at S7, theenterprise IM server 37 sends back a response message indicating the successful validation of the username. - In response to receipt of the message indicating the successful validation of the username, the
service control 27 now sends back (S8) its response to the initial login request (its response to the request it received at S1). The response message goes back through the gateway and theWDN network 13 to the device client application running in the user'smobile station network 10. Theservice control 27 also supplies the RSA (Rivest, Shamir and Adleman) public encryption key of theaggregator 21 to the device client in the mobile station, as part of the response message sent in step S8. - When the device client was initially activated (prior to sending the login request at S1), that client was generic to data service through the carrier's
network 10. However, based on the response at S8, the device client becomes a specific client program for EIM service through the network with the particular enterprise server, in this example, theserver 37. Hence, at step S9 the device client causes the mobile station to form a login request for theparticular IM server 37. This request contains the username and a password. The password may be the same as at S1 (for network validation) or a second password for enterprise validation. The enterprise login request message also contains an AES key, which is generated by the device client. The mobile station encrypts the enterprise login request message using the RSA public key of theaggregator 21. At step S9, the mobile station sends the encrypted enterprise login request message through thenetwork 10 to theIM server 37 of the enterprise community. Theaggregator 21 provides routing, via the appropriate gateways, however, the aggregator passes the message through transparently, e.g. without decrypting the message. - The carrier will have supplied the matching RSA private key of the aggregator to the enterprises that subscribe to the EIM service. Hence, the
enterprise IM server 37 will use that key to decrypt the login request that it receives in step S9. In this way, theenterprise IM server 37 will recover the username and password, and it can validate the password for the respective username (step S10) based on its own internal user profile records. In the example, it is assumed that this validation also is successful. Hence, the server at the enterprise responds with a message (S11) indicating successful authentication, which it encrypts using the AES encryption algorithm and sends back to theaggregator 21 for forwarding (S12) to the device client in themobile station aggregator 21 actually may be considered as a single step (like that of S9) since the aggregator passes the response message through transparently, e.g. without decrypting the message. - The user of the mobile station can now initiate an IM communication with another member of the enterprise IM community. The
enterprise IM server 37 supports session set-up between users in a conventional fashion. The other client participating in the IM session may be a device within the enterprise domain, e.g. at one of the devices 31-35, or the other client may be another mobile station that is on-line (has successfully completed the login procedure as outlined above). Actual IM communication may subsequently ensue. Steps representing a single two-way exchange of messages with a party at the enterprise are shown for simplicity, although those skilled in the art will recognize that the subsequent IM communications may include any number of message transmissions. - In the example, the user of the mobile station enters text or other information for an IM message, and the device client encrypts that information using the AES key. At step S13, the mobile station sends the AES encrypted IM payload through the
network 10 to theIM server 37. Thenetwork 10, including theaggregator 21, is transparent to this message. Although the message is routed through the aggregator, for security, theaggregator 21 does not decrypt the message. TheIM server 37 at the enterprise passes the IM payload to the appropriate device client in the enterprise community (step S14). Depending on how the enterprise implements its IM communications, the server may decrypt the payload before communication to the device client, or the server may pass the payload on in encrypted form for decryption by the device client. The device client of the receiving party processes the message and presents the IM message to the user at the receiving end, in a normal manner. - The device client of that second party also offers that party a user interface for entering and sending a response. In the example, that user now enters text or other information for an IM message, and the device client sends that responsive IM message payload back to the
server 37 via the enterprise network facilities (step S15). The payload may be encrypted by the client. If not, theenterprise server 37 uses the appropriate AES key to encrypt the payload and sends the payload back to thegateway 29 at theaggregator 21. The aggregator forwards the payload through the appropriate gateway to theWDN network 13, which delivers it to the mobile station and thus to the mobile user's device client. Although the message at S16 is routed through theaggregator 21, for security, the aggregator does not decrypt the message. The device client in the mobile station decrypts the payload and presents the IM message to the user at the receiving end, in a normal manner. - As shown, the EIM service provides end-to-end message payload encryption. The actual EIM messages are encrypted at least between the mobile station the enterprise IM server. Also, the key exchanges are encrypted. For example, the enterprise login credentials (username, password, and AES key) are encrypted from the mobile station to the enterprise IM server (see S8 and S9). The use of standard encryption methods such as RSA and AES/3DES within the call flows allows a simple method of ensuring that only authorized users can access the enterprise servers and that the messages will be encrypted by the strongest possible means. The messages can not be decrypted unless the keys are previously known. This ensures that anyone that attempts to access the messages from the wireless environment can not decrypt the messages or the login credentials of the enterprise community.
- As noted earlier, the
aggregator 21 for the EIM service also supports service provisioning in thewireless network 10. It may be helpful at this point to consider an example of a call flow, in which the user can self-provision the mobile device client for the EIM service through thenetwork 10, as outlined in the signal flow diagram ofFIG. 3 . - In a manner similar to the earlier example, assume communication begins after the user has activated the appropriate IM communication client application on the user's
mobile station FIG. 2 . The request message from the device client will include information about the mobile station as well as the user, for example, the mobile directory number (MDN) assigned to theparticular mobiles station - The
aggregator 21 again will attempt to validate the wireless device to ensure that themobile station service control 27 uses information from the login request to formulate an authorization query; and at step S22, theservice control 27 in theaggregator 21 sends this authorization query to theelement 41 that performs the carrier's service authorization function. The carrier's service/feature authorization element uses the MDN to look-up a service profile for the particular mobile station, and it uses the feature code to determine whether or not the profile shows that the particular mobile station is authorized to access the EIM service via the network 10 (step S23). In this second example, assume however that the validation at S3 is unsuccessful because the mobile station is not yet provisioned to receive the EIM service through thenetwork 10. - Based on the result of the authorization determination at S23, the carrier's service/
feature authorization element 41 will respond to the initial query message (from step S22). However, in this example, since the mobile station is not yet authorized to use the EIM service, the authorization element sends back a message (at S24) informing theservice control 27 in the aggregator that the MDN (and thus the particular mobile station) is not provisioned for the EIM service. Hence, at S25,service control 27 in theaggregator 21 sends a message back to the device client requesting that the user sign-up for the EIM service/feature on-line, and the device client causes the mobile station to present the message to the user. Assuming that the user agrees to sign-up for the service, the user inputs appropriate information, and the device client causes the mobile station to initiate a service request transmission in step S26, which theaggregator 21 routes to the carrier's provisioning gateway (gateway 45 inFIG. 1 ) in step S27. The gateway provides an interface to other provisioning element(s) 47 for interaction with the user (S28) to activate the service with respect to the user and the user's mobile station. Although not separately shown, when completed, the provisioning system may enter the EIM feature code in the user/mobile station profile in theelement 41 performing the carrier's service/feature authorization. Provisioning data also may be downloaded into the mobile station. When the provisioning activity with the user is successfully completed, the gateway sends a message indicating successful completion back to the aggregator in step S29, and theaggregator 21 routes that message through to the device client on the user's mobile station in step S30. - Once successfully provisioned, the user can now access the EIM service via the
network 11. Hence, the further communications involve another user login attempt starting with steps S1-S3 and continuing with the additional steps discussed above relative toFIG. 2 . - The aggregator and the associated techniques described herein can be used for other services that require a secure messaging environment with a limited user access.
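To make the decision logic of the FIG. 2 login flow, the FIG. 3 self-provisioning branch and the Service KILL function concrete, here is an added Python simulation of the service control 27; it is not the patent's code. It models the authorization query by MDN and feature code, the domain-based lookup of the enterprise IM server, the transparent relay of encrypted payloads, the provisioning round trip and the KILL wipe; the feature code, MDNs, domains, message fields and the affiliation check in `handle_kill` are assumptions, and the encryption itself is not modelled.

```python
"""Simulation of the service control 27 inside the EIM aggregator 21:
login call flow (FIG. 2), self-provisioning branch (FIG. 3) and the
Service KILL function.  Added illustration, not the patent's code; every
class, message field and sample value below is constructed."""
from dataclasses import dataclass, field

EIM_FEATURE = "EIM"  # constructed feature code carried in the authorization query


@dataclass
class AuthorizationSystem:
    """Carrier's service/feature authorization element 41 (AAA, EDR or similar)."""
    profiles: dict  # MDN -> set of feature codes the station is provisioned for

    def query(self, mdn, feature):
        """S2/S3 and S22/S23: look up the MDN's profile, check the feature code."""
        return feature in self.profiles.get(mdn, set())

    def provision(self, mdn, feature):
        """S28: the provisioning system enters the feature code in the profile."""
        self.profiles.setdefault(mdn, set()).add(feature)

    def deprovision(self, mdn, feature):
        """KILL: drop the feature from the profile so later logins fail at S3."""
        self.profiles.get(mdn, set()).discard(feature)


@dataclass
class EnterpriseIMServer:
    """Enterprise IM server 37; only the S6 username validation is modelled."""
    domain: str
    users: set

    def validate_username(self, username):
        return username in self.users


@dataclass
class ServiceControl:
    """Service control 27 in aggregator 21."""
    authz: AuthorizationSystem
    enterprises: dict       # enterprise domain -> EnterpriseIMServer
    public_key: str         # aggregator's RSA public key, handed out at S8
    affiliations: dict = field(default_factory=dict)  # MDN -> enterprise domain
    sms_outbox: list = field(default_factory=list)    # SMS messages handed to WDN 13

    def handle_login(self, mdn, username):
        """S1 login request -> S8 response, or the S25 sign-up request of FIG. 3."""
        if not self.authz.query(mdn, EIM_FEATURE):
            # S24 answered "not provisioned": ask the user to sign up (S25).
            return {"status": "SIGNUP_REQUIRED"}
        domain = username.rpartition("@")[2].lower()
        server = self.enterprises.get(domain)
        if server is None:
            # The domain is not an enterprise community served by this aggregator.
            return {"status": "REJECTED", "reason": "unknown enterprise domain"}
        if not server.validate_username(username):  # S5-S7
            return {"status": "REJECTED", "reason": "unknown user"}
        self.affiliations[mdn] = domain
        # S8: success plus the aggregator's public key for the S9 enterprise login.
        return {"status": "OK", "enterprise": domain,
                "aggregator_public_key": self.public_key}

    def relay(self, mdn, ciphertext):
        """S9 and S13: forward an encrypted payload to the affiliated enterprise."""
        domain = self.affiliations.get(mdn)
        if domain is None:
            return None  # no completed S1-S8 login: nothing is forwarded
        # The payload is returned byte for byte; the aggregator never decrypts it.
        return domain, ciphertext

    def handle_kill(self, requesting_domain, mdn):
        """KILL message from an enterprise IM server naming a lost or stolen station."""
        # Assumed check (not stated in the patent): only the enterprise the
        # station is affiliated with may order a wipe of that station.
        if self.affiliations.get(mdn) != requesting_domain:
            return {"status": "REJECTED", "reason": "station not affiliated with requester"}
        # SMS wake-up of the IM application carrying the erase instruction.
        self.sms_outbox.append({"mdn": mdn, "wake_up": "IM",
                                "erase": ["messages", "credentials"]})
        # Notify the provisioning side: deactivate the EIM service for this station.
        self.authz.deprovision(mdn, EIM_FEATURE)
        del self.affiliations[mdn]
        return {"status": "KILLED", "mdn": mdn}


def build_demo():
    """Constructed deployment: one enterprise, one provisioned and one new station."""
    authz = AuthorizationSystem({"5550001": {EIM_FEATURE}, "5550002": set()})
    ent = EnterpriseIMServer("example.com", {"alice@example.com", "bob@example.com"})
    return ServiceControl(authz, {"example.com": ent}, "RSA-PUBLIC-KEY-PLACEHOLDER")


if __name__ == "__main__":
    sc = build_demo()
    print(sc.handle_login("5550001", "alice@example.com"))  # OK (FIG. 2 path)
    print(sc.handle_login("5550002", "bob@example.com"))    # SIGNUP_REQUIRED (FIG. 3)
    sc.authz.provision("5550002", EIM_FEATURE)              # S26-S30 completed
    print(sc.handle_login("5550002", "bob@example.com"))    # OK after provisioning
    print(sc.handle_kill("example.com", "5550001"))         # KILLED, SMS queued
```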
- While the foregoing has described what are considered to be the best mode and/or other examples, it is understood that various modifications may be made therein and that the subject matter disclosed herein may be implemented in various forms and examples, and that the teachings may be applied in numerous applications, only some of which have been described herein. It is intended by the following claims to claim any and all applications, modifications and variations that fall within the true scope of the present teachings.
- The description above has used a large number of acronyms to refer to various services, messages and system components. Although generally known, use of several of these acronyms is not strictly standardized in the art. For the convenience of the reader, the following list correlates terms to acronyms, as used in the detailed description above.
- 3DES (or TDES)—Triple Data Encryption Algorithm
- 3GPP2—3rd Generation Partnership Project 2
- AAA—Authentication, Authorization and Accounting
- AES—Advanced Encryption Standard
- BREW—Binary Runtime Environment for Wireless
- CSP—Client Server Protocol
- EDR—Electronic Data Reporting
- EIM—Enterprise Instant Messaging
- EVDO—Evolution Data Optimized
- GSM—Global System for Mobile
- IM—Instant Messaging
- IP—Internet Protocol
- LCS—Live Communications Server
- MDN—Mobile Directory Number
- PDA—Personal Digital Assistant
- RSA—Rivest, Shamir and Adleman encryption
- SMS—Short Message Service
- TDMA—Time Division Multiple Access
- VPN—Virtual Private Network
- WDN—Wireless Data Network
Claims (9)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/907,466 US8032165B2 (en) | 2006-10-30 | 2010-10-19 | Enterprise instant message aggregator |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/589,309 US7890084B1 (en) | 2006-10-30 | 2006-10-30 | Enterprise instant message aggregator |
US12/907,466 US8032165B2 (en) | 2006-10-30 | 2010-10-19 | Enterprise instant message aggregator |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/589,309 Division US7890084B1 (en) | 2006-10-30 | 2006-10-30 | Enterprise instant message aggregator |
Publications (2)
Publication Number | Publication Date |
---|---|
US20110035591A1 true US20110035591A1 (en) | 2011-02-10 |
US8032165B2 US8032165B2 (en) | 2011-10-04 |
Family
ID=43535687
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/589,309 Expired - Fee Related US7890084B1 (en) | 2006-10-30 | 2006-10-30 | Enterprise instant message aggregator |
US12/907,466 Expired - Fee Related US8032165B2 (en) | 2006-10-30 | 2010-10-19 | Enterprise instant message aggregator |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/589,309 Expired - Fee Related US7890084B1 (en) | 2006-10-30 | 2006-10-30 | Enterprise instant message aggregator |
Country Status (1)
Country | Link |
---|---|
US (2) | US7890084B1 (en) |
Cited By (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150350250A1 (en) * | 2014-06-02 | 2015-12-03 | Blackberry Limited | System and Method for Switching Between Messaging Security Policies |
US9584493B1 (en) | 2015-12-18 | 2017-02-28 | Wickr Inc. | Decentralized authoritative messaging |
US9584530B1 (en) | 2014-06-27 | 2017-02-28 | Wickr Inc. | In-band identity verification and man-in-the-middle defense |
US9584316B1 (en) | 2012-07-16 | 2017-02-28 | Wickr Inc. | Digital security bubble |
US20170063876A1 (en) * | 2015-08-24 | 2017-03-02 | Cyberlink Corp. | Systems and methods for protecting messages utilizing a hidden restriction mechanism |
US9590958B1 (en) | 2016-04-14 | 2017-03-07 | Wickr Inc. | Secure file transfer |
US9591479B1 (en) | 2016-04-14 | 2017-03-07 | Wickr Inc. | Secure telecommunications |
US9654288B1 (en) | 2014-12-11 | 2017-05-16 | Wickr Inc. | Securing group communications |
US9698976B1 (en) | 2014-02-24 | 2017-07-04 | Wickr Inc. | Key management and dynamic perfect forward secrecy |
US9832208B1 (en) * | 2014-12-23 | 2017-11-28 | Erasable, LLC | System and methods of providing secure messaging environment |
US9830089B1 (en) | 2013-06-25 | 2017-11-28 | Wickr Inc. | Digital data sanitization |
US9866591B1 (en) | 2013-06-25 | 2018-01-09 | Wickr Inc. | Enterprise messaging platform |
US10129260B1 (en) | 2013-06-25 | 2018-11-13 | Wickr Inc. | Mutual privacy management |
TWI649703B (en) * | 2015-03-03 | 2019-02-01 | 遠傳電信股份有限公司 | Enterprise mobility messaging assistant |
US10291607B1 (en) | 2016-02-02 | 2019-05-14 | Wickr Inc. | Providing real-time events to applications |
US10567349B2 (en) | 2013-06-25 | 2020-02-18 | Wickr Inc. | Secure time-to-live |
WO2021216906A1 (en) * | 2020-04-22 | 2021-10-28 | Celona, Inc. | Geo fencing enterprise network with macro pilot signature |
US11240368B2 (en) * | 2016-11-29 | 2022-02-01 | Samsung Electronics Co., Ltd. | Message processing method and electronic device implementing same |
US11330003B1 (en) | 2017-11-14 | 2022-05-10 | Amazon Technologies, Inc. | Enterprise messaging platform |
Families Citing this family (73)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7890096B2 (en) | 2006-03-02 | 2011-02-15 | Tango Networks, Inc. | System and method for enabling call originations using SMS and hotline capabilities |
US8023479B2 (en) * | 2006-03-02 | 2011-09-20 | Tango Networks, Inc. | Mobile application gateway for connecting devices on a cellular network with individual enterprise and data networks |
US7903635B2 (en) | 2006-03-02 | 2011-03-08 | Tango Networks, Inc. | System and method for enabling DTMF detection in a VoIP network |
US11405846B2 (en) | 2006-03-02 | 2022-08-02 | Tango Networks, Inc. | Call flow system and method for use in a legacy telecommunication system |
US8924543B2 (en) | 2009-01-28 | 2014-12-30 | Headwater Partners I Llc | Service design center for device assisted services |
US8635335B2 (en) | 2009-01-28 | 2014-01-21 | Headwater Partners I Llc | System and method for wireless network offloading |
US8924469B2 (en) | 2008-06-05 | 2014-12-30 | Headwater Partners I Llc | Enterprise access control and accounting allocation for access networks |
US8832777B2 (en) | 2009-03-02 | 2014-09-09 | Headwater Partners I Llc | Adapting network policies based on device service processor configuration |
US8275830B2 (en) | 2009-01-28 | 2012-09-25 | Headwater Partners I Llc | Device assisted CDR creation, aggregation, mediation and billing |
US8898293B2 (en) | 2009-01-28 | 2014-11-25 | Headwater Partners I Llc | Service offer set publishing to device agent with on-device service selection |
US8725123B2 (en) | 2008-06-05 | 2014-05-13 | Headwater Partners I Llc | Communications device with secure data path processing agents |
US8402111B2 (en) | 2009-01-28 | 2013-03-19 | Headwater Partners I, Llc | Device assisted services install |
US8626115B2 (en) | 2009-01-28 | 2014-01-07 | Headwater Partners I Llc | Wireless network service interfaces |
US8346225B2 (en) | 2009-01-28 | 2013-01-01 | Headwater Partners I, Llc | Quality of service for device assisted services |
US8391834B2 (en) | 2009-01-28 | 2013-03-05 | Headwater Partners I Llc | Security techniques for device assisted services |
US8340634B2 (en) | 2009-01-28 | 2012-12-25 | Headwater Partners I, Llc | Enhanced roaming services and converged carrier networks with device assisted services and a proxy |
US8589541B2 (en) | 2009-01-28 | 2013-11-19 | Headwater Partners I Llc | Device-assisted services for protecting network capacity |
US8406748B2 (en) | 2009-01-28 | 2013-03-26 | Headwater Partners I Llc | Adaptive ambient services |
US8331901B2 (en) | 2009-01-28 | 2012-12-11 | Headwater Partners I, Llc | Device assisted ambient services |
US8548428B2 (en) | 2009-01-28 | 2013-10-01 | Headwater Partners I Llc | Device group partitions and settlement platform |
US9454737B2 (en) * | 2008-08-29 | 2016-09-27 | International Business Machines Corporation | Solution that leverages an instant messaging system to manage ad hoc business process workflows |
US10492102B2 (en) | 2009-01-28 | 2019-11-26 | Headwater Research Llc | Intermediate networking devices |
US8351898B2 (en) | 2009-01-28 | 2013-01-08 | Headwater Partners I Llc | Verifiable device assisted service usage billing with integrated accounting, mediation accounting, and multi-account |
US9270559B2 (en) | 2009-01-28 | 2016-02-23 | Headwater Partners I Llc | Service policy implementation for an end-user device having a control application or a proxy agent for routing an application traffic flow |
US9572019B2 (en) | 2009-01-28 | 2017-02-14 | Headwater Partners LLC | Service selection set published to device agent with on-device service selection |
US9578182B2 (en) | 2009-01-28 | 2017-02-21 | Headwater Partners I Llc | Mobile device and service management |
US9392462B2 (en) | 2009-01-28 | 2016-07-12 | Headwater Partners I Llc | Mobile end-user device with agent limiting wireless data communication for specified background applications based on a stored policy |
US9980146B2 (en) | 2009-01-28 | 2018-05-22 | Headwater Research Llc | Communications device with secure data path processing agents |
US10783581B2 (en) | 2009-01-28 | 2020-09-22 | Headwater Research Llc | Wireless end-user device providing ambient or sponsored services |
US10057775B2 (en) | 2009-01-28 | 2018-08-21 | Headwater Research Llc | Virtualized policy and charging system |
US10779177B2 (en) | 2009-01-28 | 2020-09-15 | Headwater Research Llc | Device group partitions and settlement platform |
US10064055B2 (en) | 2009-01-28 | 2018-08-28 | Headwater Research Llc | Security, fraud detection, and fraud mitigation in device-assisted services systems |
US9706061B2 (en) | 2009-01-28 | 2017-07-11 | Headwater Partners I Llc | Service design center for device assisted services |
US9647918B2 (en) | 2009-01-28 | 2017-05-09 | Headwater Research Llc | Mobile device and method attributing media services network usage to requesting application |
US10798252B2 (en) | 2009-01-28 | 2020-10-06 | Headwater Research Llc | System and method for providing user notifications |
US10237757B2 (en) | 2009-01-28 | 2019-03-19 | Headwater Research Llc | System and method for wireless network offloading |
US9954975B2 (en) | 2009-01-28 | 2018-04-24 | Headwater Research Llc | Enhanced curfew and protection associated with a device group |
US9565707B2 (en) | 2009-01-28 | 2017-02-07 | Headwater Partners I Llc | Wireless end-user device with wireless data attribution to multiple personas |
US10841839B2 (en) | 2009-01-28 | 2020-11-17 | Headwater Research Llc | Security, fraud detection, and fraud mitigation in device-assisted services systems |
US9557889B2 (en) | 2009-01-28 | 2017-01-31 | Headwater Partners I Llc | Service plan design, user interfaces, application programming interfaces, and device management |
US9755842B2 (en) | 2009-01-28 | 2017-09-05 | Headwater Research Llc | Managing service user discovery and service launch object placement on a device |
US10248996B2 (en) | 2009-01-28 | 2019-04-02 | Headwater Research Llc | Method for operating a wireless end-user device mobile payment agent |
US8793758B2 (en) | 2009-01-28 | 2014-07-29 | Headwater Partners I Llc | Security, fraud detection, and fraud mitigation in device-assisted services systems |
US10264138B2 (en) | 2009-01-28 | 2019-04-16 | Headwater Research Llc | Mobile device and service management |
US8893009B2 (en) | 2009-01-28 | 2014-11-18 | Headwater Partners I Llc | End user device that secures an association of application to service policy with an application certificate check |
US9253663B2 (en) | 2009-01-28 | 2016-02-02 | Headwater Partners I Llc | Controlling mobile device communications on a roaming network based on device state |
US11218854B2 (en) | 2009-01-28 | 2022-01-04 | Headwater Research Llc | Service plan design, user interfaces, application programming interfaces, and device management |
US10484858B2 (en) | 2009-01-28 | 2019-11-19 | Headwater Research Llc | Enhanced roaming services and converged carrier networks with device assisted services and a proxy |
US8745191B2 (en) | 2009-01-28 | 2014-06-03 | Headwater Partners I Llc | System and method for providing user notifications |
US10326800B2 (en) | 2009-01-28 | 2019-06-18 | Headwater Research Llc | Wireless network service interfaces |
US8606911B2 (en) | 2009-03-02 | 2013-12-10 | Headwater Partners I Llc | Flow tagging for service policy implementation |
US9955332B2 (en) | 2009-01-28 | 2018-04-24 | Headwater Research Llc | Method for child wireless device activation to subscriber account of a master wireless device |
US9571559B2 (en) | 2009-01-28 | 2017-02-14 | Headwater Partners I Llc | Enhanced curfew and protection associated with a device group |
US10715342B2 (en) | 2009-01-28 | 2020-07-14 | Headwater Research Llc | Managing service user discovery and service launch object placement on a device |
US9858559B2 (en) | 2009-01-28 | 2018-01-02 | Headwater Research Llc | Network service plan design |
US10200541B2 (en) | 2009-01-28 | 2019-02-05 | Headwater Research Llc | Wireless end-user device with divided user space/kernel space traffic policy system |
US9351193B2 (en) | 2009-01-28 | 2016-05-24 | Headwater Partners I Llc | Intermediate networking devices |
US9154826B2 (en) | 2011-04-06 | 2015-10-06 | Headwater Partners Ii Llc | Distributing content and service launch objects to mobile devices |
US9998919B1 (en) | 2011-11-18 | 2018-06-12 | Google Llc | SMS spoofing protection |
US9887872B2 (en) * | 2012-07-13 | 2018-02-06 | Microsoft Technology Licensing, Llc | Hybrid application environments including hosted applications and application servers for interacting with data in enterprise environments |
US9438598B2 (en) | 2013-02-15 | 2016-09-06 | Verizon Patent And Licensing Inc. | Securely updating information identifying services accessible via keys |
US9154482B2 (en) * | 2013-02-15 | 2015-10-06 | Verizon Patent And Licensing Inc. | Secure access credential updating |
WO2014159862A1 (en) | 2013-03-14 | 2014-10-02 | Headwater Partners I Llc | Automated credential porting for mobile devices |
WO2016160957A1 (en) | 2015-03-31 | 2016-10-06 | Donaldson Willie L | Secure dynamic address resolution and communication system, method, and device |
US10110580B2 (en) * | 2015-03-31 | 2018-10-23 | Willie L. Donaldson | Secure dynamic address resolution and communication system, method, and device |
US10616177B2 (en) | 2015-03-31 | 2020-04-07 | Willie L. Donaldson | Secure dynamic address resolution and communication system, method, and device |
US10523537B2 (en) | 2015-06-30 | 2019-12-31 | Amazon Technologies, Inc. | Device state management |
US9973593B2 (en) * | 2015-06-30 | 2018-05-15 | Amazon Technologies, Inc. | Device gateway |
US10958648B2 (en) | 2015-06-30 | 2021-03-23 | Amazon Technologies, Inc. | Device communication environment |
US10075422B2 (en) | 2015-06-30 | 2018-09-11 | Amazon Technologies, Inc. | Device communication environment |
US10091329B2 (en) | 2015-06-30 | 2018-10-02 | Amazon Technologies, Inc. | Device gateway |
US11341218B2 (en) * | 2019-01-25 | 2022-05-24 | V440 Spólka Akcyjna | Messaging application and electronic communications device providing messaging interface for messaging application |
US11438177B2 (en) * | 2020-02-28 | 2022-09-06 | Vmware, Inc. | Secure distribution of cryptographic certificates |
Citations (26)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20020128036A1 (en) * | 2001-03-09 | 2002-09-12 | Yach David P. | Advanced voice and data operations in a mobile data communication device |
US20030105812A1 (en) * | 2001-08-09 | 2003-06-05 | Gigamedia Access Corporation | Hybrid system architecture for secure peer-to-peer-communications |
US20030130960A1 (en) * | 2001-11-28 | 2003-07-10 | Fraser John D. | Bridging service for security validation within enterprises |
US20030204741A1 (en) * | 2002-04-26 | 2003-10-30 | Isadore Schoen | Secure PKI proxy and method for instant messaging clients |
US20040088546A1 (en) * | 2002-11-06 | 2004-05-06 | Imlogic, Inc | System and method for add-on services, secondary authentication, authorization and/or secure communication for dialog based protocols and systems |
US20040117656A1 (en) * | 2002-12-17 | 2004-06-17 | Sierra Wireless, Inc. A Canadian Corp. | Enterprise access configuration |
US20040162076A1 (en) * | 2003-02-14 | 2004-08-19 | Atul Chowdry | System and method for simplified secure universal access and control of remote networked electronic resources for the purposes of assigning and coordinating complex electronic tasks |
US20040172531A1 (en) * | 2002-12-09 | 2004-09-02 | Little Herbert A. | System and method of secure authentication information distribution |
US20040198331A1 (en) * | 2003-04-02 | 2004-10-07 | Sun Microsystems, Inc. | System and method for advanced service interaction |
US6856804B1 (en) * | 2000-07-24 | 2005-02-15 | Verizon Wireless | Mobile station internet messaging |
US20050048958A1 (en) * | 2001-03-09 | 2005-03-03 | Gary Mousseau | Advanced voice and data operations in a mobile data communication device |
US20050114652A1 (en) * | 2003-11-26 | 2005-05-26 | Totemo Ag | End-to-end encryption method and system for emails |
US20050154876A1 (en) * | 2003-08-25 | 2005-07-14 | Adrian Buckley | System and method for securing wireless data |
US20060009243A1 (en) * | 2004-07-07 | 2006-01-12 | At&T Wireless Services, Inc. | Always-on mobile instant messaging of a messaging centric wireless device |
US7120455B1 (en) * | 2004-05-20 | 2006-10-10 | Cellco Partnership | Method and system for mobile instant messaging using multiple interfaces |
US20070094337A1 (en) * | 2005-10-21 | 2007-04-26 | Klassen Gerhard D | Instant messaging device/server protocol |
US7240836B2 (en) * | 2004-04-23 | 2007-07-10 | Virtual Fonlink, Inc. | Enhanced system and method for wireless transactions |
US20070162554A1 (en) * | 2006-01-12 | 2007-07-12 | International Business Machines Corporation | Generating a public key and a private key in an instant messaging server |
US20070174399A1 (en) * | 2006-01-26 | 2007-07-26 | Ogle David M | Offline IM chat to avoid server connections |
US7328046B2 (en) * | 2001-02-22 | 2008-02-05 | Nokia Corporation | Communication system |
US20080069315A1 (en) * | 2002-06-04 | 2008-03-20 | Hitachi, Ltd. | Communication system and communication method |
US20080085728A1 (en) * | 2006-10-05 | 2008-04-10 | Verizon Services Corp. | Short message service (sms) data transfer |
US7403972B1 (en) * | 2002-04-24 | 2008-07-22 | Ip Venture, Inc. | Method and system for enhanced messaging |
US20080176541A1 (en) * | 2004-07-15 | 2008-07-24 | At&T Mobility Ii Llc | Customer Service Messaging, Such As on Mobile Devices |
US20090005040A1 (en) * | 2004-02-09 | 2009-01-01 | Proxpro, Inc. | Method and computer system for matching mobile device users for business and social networking |
US7673004B1 (en) * | 2004-08-31 | 2010-03-02 | Face Time Communications, Inc. | Method and apparatus for secure IM communications using an IM module |
- 2006
  - 2006-10-30 US US11/589,309 patent/US7890084B1/en not_active Expired - Fee Related
- 2010
  - 2010-10-19 US US12/907,466 patent/US8032165B2/en not_active Expired - Fee Related
Cited By (33)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9628449B1 (en) | 2012-07-16 | 2017-04-18 | Wickr Inc. | Multi party messaging |
US9876772B1 (en) | 2012-07-16 | 2018-01-23 | Wickr Inc. | Encrypting and transmitting data |
US9584316B1 (en) | 2012-07-16 | 2017-02-28 | Wickr Inc. | Digital security bubble |
US9729315B2 (en) | 2012-07-16 | 2017-08-08 | Wickr Inc. | Initialization and registration of an application |
US9667417B1 (en) | 2012-07-16 | 2017-05-30 | Wickr Inc. | Digital security bubble |
US10567349B2 (en) | 2013-06-25 | 2020-02-18 | Wickr Inc. | Secure time-to-live |
US10129260B1 (en) | 2013-06-25 | 2018-11-13 | Wickr Inc. | Mutual privacy management |
US9866591B1 (en) | 2013-06-25 | 2018-01-09 | Wickr Inc. | Enterprise messaging platform |
US9830089B1 (en) | 2013-06-25 | 2017-11-28 | Wickr Inc. | Digital data sanitization |
US10382197B1 (en) | 2014-02-24 | 2019-08-13 | Wickr Inc. | Key management and dynamic perfect forward secrecy |
US10396982B1 (en) | 2014-02-24 | 2019-08-27 | Wickr Inc. | Key management and dynamic perfect forward secrecy |
US9698976B1 (en) | 2014-02-24 | 2017-07-04 | Wickr Inc. | Key management and dynamic perfect forward secrecy |
US9473534B2 (en) * | 2014-06-02 | 2016-10-18 | Blackberry Limited | System and method for switching between messaging security policies |
US20150350250A1 (en) * | 2014-06-02 | 2015-12-03 | Blackberry Limited | System and Method for Switching Between Messaging Security Policies |
US9584530B1 (en) | 2014-06-27 | 2017-02-28 | Wickr Inc. | In-band identity verification and man-in-the-middle defense |
US9654288B1 (en) | 2014-12-11 | 2017-05-16 | Wickr Inc. | Securing group communications |
US9832208B1 (en) * | 2014-12-23 | 2017-11-28 | Erasable, LLC | System and methods of providing secure messaging environment |
TWI649703B (en) * | 2015-03-03 | 2019-02-01 | 遠傳電信股份有限公司 | Enterprise mobility messaging assistant |
US20170063876A1 (en) * | 2015-08-24 | 2017-03-02 | Cyberlink Corp. | Systems and methods for protecting messages utilizing a hidden restriction mechanism |
US10419444B2 (en) * | 2015-08-24 | 2019-09-17 | Cyberlink Corp. | Systems and methods for protecting messages utilizing a hidden restriction mechanism |
US9673973B1 (en) | 2015-12-18 | 2017-06-06 | Wickr Inc. | Decentralized authoritative messaging |
US9590956B1 (en) | 2015-12-18 | 2017-03-07 | Wickr Inc. | Decentralized authoritative messaging |
US9584493B1 (en) | 2015-12-18 | 2017-02-28 | Wickr Inc. | Decentralized authoritative messaging |
US10291607B1 (en) | 2016-02-02 | 2019-05-14 | Wickr Inc. | Providing real-time events to applications |
US9602477B1 (en) | 2016-04-14 | 2017-03-21 | Wickr Inc. | Secure file transfer |
US9590958B1 (en) | 2016-04-14 | 2017-03-07 | Wickr Inc. | Secure file transfer |
US9596079B1 (en) | 2016-04-14 | 2017-03-14 | Wickr Inc. | Secure telecommunications |
US9591479B1 (en) | 2016-04-14 | 2017-03-07 | Wickr Inc. | Secure telecommunications |
US11362811B2 (en) | 2016-04-14 | 2022-06-14 | Amazon Technologies, Inc. | Secure telecommunications |
US11405370B1 (en) | 2016-04-14 | 2022-08-02 | Amazon Technologies, Inc. | Secure file transfer |
US11240368B2 (en) * | 2016-11-29 | 2022-02-01 | Samsung Electronics Co., Ltd. | Message processing method and electronic device implementing same |
US11330003B1 (en) | 2017-11-14 | 2022-05-10 | Amazon Technologies, Inc. | Enterprise messaging platform |
WO2021216906A1 (en) * | 2020-04-22 | 2021-10-28 | Celona, Inc. | Geo fencing enterprise network with macro pilot signature |
Also Published As
Publication number | Publication date |
---|---|
US8032165B2 (en) | 2011-10-04 |
US7890084B1 (en) | 2011-02-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8032165B2 (en) | | Enterprise instant message aggregator |
US10237732B2 (en) | | Mobile device authentication in heterogeneous communication networks scenario |
KR101202671B1 (en) | | Remote access system and method for enabling a user to remotely access a terminal equipment from a subscriber terminal |
EP1994715B1 (en) | | Sim based authentication |
EP1819123B1 (en) | | Secure method of termination of service notification |
US8145193B2 (en) | | Session key management for public wireless LAN supporting multiple virtual operators |
US10045213B2 (en) | | Method and apparatus for authenticating terminal in mobile communications system |
EP2195963B1 (en) | | Security measures for countering unauthorized decryption |
JP5952308B2 (en) | | Mobile device security |
US20080130898A1 (en) | | Identifiers in a communication system |
US20070178881A1 (en) | | Remotely controlling access to subscriber data over a wireless network for a mobile device |
EP2790379B1 (en) | | Methods and systems for server-initiated activation of device for operation with server |
US20080263648A1 (en) | | Secure conferencing over ip-based networks |
WO2008076163A2 (en) | | Techniques for managing security in next generation communication networks |
EP2547051B1 (en) | | Confidential communication method using vpn, a system and program for the same, and memory media for program therefor |
CN103795966B (en) | | A kind of security video call implementing method and system based on digital certificate |
CN1977559A (en) | | Method and system for protecting information exchanged during communication between users |
US20230171593A1 (en) | | Method of Providing a Communication Function in a User Equipment |
KR101691109B1 (en) | | System, method and server for transmitting security message |
Khozooyi et al. | | Security in mobile governmental transactions |
EP3032448B1 (en) | | Method for authorizing access to information in a telecommunication system |
US20180212958A1 (en) | | Two Factor Authentication Using SMS |
Wiederkehr | | Approaches for simplified hotspot logins with Wi-Fi devices |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| ZAAA | Notice of allowance and fees due | Free format text: ORIGINAL CODE: NOA |
| ZAAB | Notice of allowance mailed | Free format text: ORIGINAL CODE: MN/=. |
| STCF | Information on status: patent grant | Free format text: PATENTED CASE |
| AS | Assignment | Owner name: CELLCO PARTNERSHIP D/B/A VERIZON WIRELESS, NEW JER; Free format text: NUNC PRO TUNC ASSIGNMENT; ASSIGNORS: DUDZIAK, THADDEUS JUDE; PATEL, BIREN; KUPSH, JERRY; REEL/FRAME: 027324/0912; Effective date: 20080818 |
| AS | Assignment | Owner name: CELLCO PARTNERSHIP (D/B/A VERIZON WIRELESS), NEW J; Free format text: ASSIGNMENT OF ASSIGNORS INTEREST; ASSIGNORS: DUDZIAK, THADDEUS JUDE; PATEL, BIREN; KUPSH, JERRY; REEL/FRAME: 027324/0880; Effective date: 20061218 |
| FPAY | Fee payment | Year of fee payment: 4 |
| MAFP | Maintenance fee payment | Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY; Year of fee payment: 8 |
| FEPP | Fee payment procedure | Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| LAPS | Lapse for failure to pay maintenance fees | Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
| STCH | Information on status: patent discontinuation | Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 |
| FP | Lapsed due to failure to pay maintenance fee | Effective date: 20231004 |